Create Investigations
- On the main toolbar, click Investigate.
The LogRhythm Investigator Wizard appears. - Select Configure New Investigation, and then click Next.
- Under Select Search Type, select the type of data to return:
- Platform Manager Search. Only returns events.
- Data Processor Search. Only returns log metadata and events.
- LogMart Search. Returns aggregate data and statistics by Log Miner.
- Load Raw Log with Query Results. Returns raw log data. It is not available for LogMart investigations.
- In the Select Date Range to Query section, set the range for the log/event data to query.
- Click Next.
- To select which Log Sources to search for logs/events, choose one of these options:
- All available Log Sources. All log sources available to your user account will be queried.
- Selected Log Source Lists. Select which Log Source Lists to query from the grid that appears.
- Selected Log Sources. Select which Log Sources to query from the grid that appears.
- Click Next.
Select an option from the Add New Field Filter. For detailed instructions on adding filters, see Use the Filter Editor.
The User (Impacted/Origin) by Active Directory Group filter is not available to Restricted Analysts. Restricted Analysts may run objects that reference a User (Impacted/Origin) by Active Directory Group filter in saved Investigations.
- Click Next.
- Select the log repositories to include in the query:
- Query the Platform Manager. Select this option to include the Platform Manager database in the query.
- Query all default Log Repositories. Select this option to include all default Log Repositories in the query.
- Query the following Log Repositories. Select this option to choose the Log Repositories you want to include in the query. The list of Log Repositories becomes active and you can select the check boxes of the repositories you want.
- In the Settings section, configure the following settings:
Maximum logs to query. The maximum number of logs/events to query from the database. If the number of logs in the database exceeds this value, only the oldest logs from the specified date range are returned. Enter 0 for unlimited
- Aggregate log cache size. The query begins at the earliest specified date/time and moves forward, not stopping when the limit is reached. It removes the oldest logs from the cache to make room for newer ones which could result in just a subset of the total queried logs available for viewing (between 0 and 10,000).
- Log cache size. The query begins at the earliest specified date/time and moves forward, not stopping when the limit is reached. It removes the oldest logs to make room for newer ones which could result in just a subset of the total queried logs being available for viewing (between 1,000 and 10,000).
- Query timeout. How long the query can run before it times out (between 5 and 3,600 seconds).
- (Optional) Layout. If the investigation has a layout assigned to it, the layout name appears under Layout. See Layouts for more information.
- Click Next.
- (Optional) Save this Investigation so you can use it again without doing all the set up:
- Type a name and description.
Select the permissions.
User Role Investigate Permissions Private Public-All Users Public-Global Admin Public-Global Analyst GlobalAdmin None Edit-Full Edit-Full Edit-Full RestrictedAdmin None Read/Run None Read/Run GlobalAnalyst None Read/Run None Read/Run RestrictedAnalyst None Read/Run None None Owner Edit-Full Edit-Full Edit-Full Edit-Full - Set the Record Type.
- (Optional) Configure Intelligent Indexing.
- Select Enable Intelligent Indexing.
- Select Enable Expiration.
- Click Save.
- (Optional) To export the report directly to a file, click Export.
The LogRhythm Log Exporter Wizard appears.
For more information, see Import and Export Saved Investigations. - To start the query, click Launch.
You can view the progress of the Investigation at the bottom of the query window. The Logs Processed, Logs Cached, and Logs Displayed fields indicate how many logs were queried, returned, and are available for viewing.
To narrow these search results even further, you can Run Correlate.